You are on page 1of 37

Identity and Access Management: Overview

Rafal Lukawiecki Strategic Consultant, Project Botticelli Ltd

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.


Build a good conceptual background to enable later technical discussions of the subject Overview the problems and opportunities in the field of identity and access management Introduce terminology Highlight a possible future direction


Session Agenda
Identity Problem of Today Identity Laws and Metasystem Components and Terminology Roadmap

4 Identity Problem of Today .

often mutuallyincompatible.5 Universal Identity? Internet was build so that communications are anonymous In-house networks use multiple. proprietary identity systems Users are incapable of handling multiple identities Criminals love to exploit this mess .

6 Explosion of IDs # of Digital IDs Business Partners Automation (B2B) Company (B2E) Customers (B2C) Mobility Internet Client Server Mainframe Time Pre 1980’s 1980’s 1990’s 2000’s .

Multiple user IDs. multiple passwords Decentralized management. ad hoc data sharing .7 The Disconnected Reality •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data HR System NOS Lotus Notes Apps Infra Application COTS Application In-House Application In-House Application Enterprise Directory •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data “Identity Chaos” Lots of users and systems required to do business Multiple repositories of identity information.

process automation Value chain Your COMPANY and your EMPLOYEES M&A Mobile/global workforce Flexible/temp workforce Your REMOTE and VIRTUAL EMPLOYEES Your PARTNERS . personalization Your CUSTOMERS Your SUPPLIERS Collaboration Outsourcing Faster business cycles.8 Multiple Contexts Customer satisfaction & customer intimacy Cost competitiveness Reach.

Basel II. eMarketer. U.5 billion spend in 2005 on compliance (analyst estimate) Deeper Line of Business Automation and Integration One half of all enterprises have SOA under development Web services spending growing 45% CAGR Increasing Threat Landscape Identity theft costs banks and credit card issuers $1. 21 CFR Part 11. HIPAA.9 Trends Impacting Identity Rising Tide of Regulation and Compliance SOX. GLB. AMR Research. of Justice . … $15.S.2 billion in 1 yr $250 billion lost in 2004 from exposure of confidential info Maintenance Costs Dominate IT Budget On average employees need access to 16 apps and systems Companies spend $20-30 per user per year for PW resets Data Sources: Gartner. IDC. Department.

10 Pain Points IT Admin Developer End User Security/ Compliance Business Owner Too many user stores and account admin requests Unsafe sync scripts Redundant code in each app Rework code too often Too many passwords Long waits for access to apps. resources Too many orphaned accounts Limited auditing ability Too expensive to reach new partners. channels Need for control .

Giga Information Group Password Management “Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.000 managed users” “Reduced help desk costs: $75 per user per year” .11 Possible Savings Directory Synchronization “Improved updating of user data: $185 per user/year” “Improved list management: $800 per list” .000 per year per 1.Giga Information Group .” – Gartner User Provisioning “Improved IT efficiency: $70.

12 Can We Just Ignore It All? Today. often with individual directories Regulators are becoming stricter about compliance and auditing Orphaned accounts and identities lead to security problems Source: Microsoft’s internal research and Anti-phishing Working Group Feb 2005 . average corporate user spends 16 minutes a day logging on A typical home user maintains 12-18 identities Number of phishing and pharming sites grew over 1600% over the past year Corporate IT Ops manage an average of 73 applications and 46 suppliers.

13 One or Two Solutions? Better Option: Build a global. federated identity metasystem based on standards Federate it to others. universal. system-by-system But: both solutions could share the same conceptual basis . federated identity metasystem Will take years… Quicker Option: Build an in-house.

14 Identity Laws and Metasystem .

15 Lessons from Passport Passport designed to solve two problems Identity provider for MSN 250M+ users. 1 billion logons per day Significant success Identity provider for the Internet Unsuccessful: Not trusted “outside context” Not generic enough Meant giving up control over identity management Cannot re-write apps to use a central system Learning: solution must be different than Passport .

16 Idea of an Identity Metasystem Not an Identity System Agreement on metadata and protocols. allowing multiple identity providers and brokers Based on open standards Supported by multiple technologies and platforms Adhering to Laws of Identity With full respect of privacy needs .

17 Roles Within Identity Metasystem Identity Providers Organisations. Relying Parties Online services or sites. even end-users They provide Identity Claims about a Subject Name. age. vehicles allowed to drive. etc. governments. doors. etc. Subjects Individuals and other bodies that need its identity established .

18 Metasystem Players Identity Providers Issue identities Relying Parties Require identities Subjects Individuals and other entities about whom claims are made .

19 Identity Metasystem Today Basically. the set of WS-* Security Guidelines as we have it Plus Software that implements the services Microsoft and many others working on it Companies that would use it Still to come. but early adopters exist End-users that would trust it Will take time .

Justifiable Parties 1. User Control and Consent 2. Directed Identity 5. Pluralism of Operators and Technologies 6. Consistent Experience Across Contexts . Minimal Disclosure for a Constrained Use 3. Human Integration 7.20 Identity Laws www.

we need a solution before it becomes a reality Following the principles seems a good idea while planning immediate solutions Organic growth likely to lead to an identity metasystem in long term .21 Enterprise Applicability That proposed metasystem would work well inside a corporation Of course.

Rich Claims Authorization PKI is still too restrictive. but it is clearly a component of a possible solution .22 Enterprise Trends Kerberos is very useful but increasingly it does not span disconnected identity forests and technologies easily We are moving away from static Groups and traditional ACLs… Increasingly limited and difficult to manage on large scales …towards a dynamic combination of: Role-Based Access Management. and.

23 Components and Terminology .

24 What is Identity Management? Web Services Security Authorization .

and security credentials A system of procedures. manage account and entitlement changes.25 Identity and Access Management Directory Services Repositories for storing and managing accounts. and track policy compliance . identity information. policies and technologies to manage the credentials lifecycle The process of authenticating and Access controlling access to networked resources Management and entitlements of electronic based on trust and identity credentials Identity Lifecycle Management The processes used to create and delete accounts.

26 Remember the Chaos? •Authentication •Authorization •Identity Data HR System NOS Lotus Notes Apps Infra Application COTS Application In-House Application In-House Application •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data Enterprise Directory •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data .

27 Identity Integration •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data •Authentication •Authorization •Identity Data Enterprise Directory HR System Student Admin Lotus Notes Apps Infra Application COTS Application In-House Application In-House Application Identity Integration Server .

28 IAM Benefits Benefits today (Tactical) Save money and improve operational efficiency Improved time to deliver applications and service Enhance Security Benefits to take you forward (Strategic) New ways of working Improved time to market Regulatory Compliance and Audit Closer Supplier. Customer. Partner and Employee relationships .

29 Some Basic Definitions Authentication (AuthN) Verification of a subject’s identity by means of relying on a provided claim Identification is sometimes seen as a preliminary step of authentication Collection of untrusted (as yet) information about a subject. rights or privileges can the subject be allowed Trend towards separation of those two Or even of all three. such as an identity claim Authorization (AuthZ) Deciding what actions. if biometrics are used .

30 Components of IAM Administration User Management Password Management Workflow Delegation Authentication Authorization Administration Authentication Access Management Authorization Identity Management Account Provisioning Account Deprovisioning Synchronisation Reliable Identity Data .

31 IAM Architecture .

32 Roadmap .

33 Microsoft’s Identity Management Directory (Store) Services Access Management Identity Lifecycle Management Identity Integration Server Active Directory & ADAM Active Directory Federation Services Extended Directory Services Authorization Manager BizTalk PKI / CA Enterprise Single Sign On Audit Collection Services Services for Unix / Services for Netware ISA Server SQL Server Reporting .

WizeKey) ADFS. Partner (eg. Vintela/Centrify Sharepoint ESSO. RSA – SecurID. SFN. Vintella/Centrify) Federation ADFS . Partner Solutions (Ultimus BPM. RSA) and traditional approaches Directory & Password Synchronization SSO (Intranet) Enterprise SSO (Intranet) Strong Authentication Web SSO Integration of UNIX/Novell MIIS & Partner solutions Kerberos/NTLM. BizTalk ESSO. Partner (eg. CA/PKI. MCLMS. RSA – ClearTrust) SFU. HIS ESSO SmartCards. SAP) Role-Based Access Control Authorization Manager or Partner Solutions (ex: OCG.34 Components of a Microsoft-based IAM Infrastructure Directory Active Directory Application Directory Lifecycle Management Workflow AD/AM (LDAP) MIIS BizTalk. Partner (eg.

35 Summary .

microsoft.36 Summary We have reached an “Identity Crisis” both on the intranet and the Internet Identity Metasystem suggests a unifying way forward Identity and Access Management systems need to be built so enterprises can benefit immediately Microsoft is rapidly becoming a strong provider of IAM technologies and IM vision & & www.

Ronny Bjones. Olga Londer – planning and reviewing Philippe Lemmens. with special thanks to: Daniel Meyer – thanks for many slides Steven Adler. Detlef Eckert – Sponsorship Bas Paumen & NGN .com Microsoft.37 Special Thanks This seminar was prepared with the help of: Oxford Computer Group Ltd Expertise in Identity and Access Management (Microsoft Partner) IT Service Delivery and Training .oxfordcomputergroup.